SonicWall HA standby Firewall's Backup LAN IP address isn't reachable when traffic comes from WAN
03/26/2020
Ping requests to the Standby Firewall's backup IP (configured under HA | Monitoring) are not answered when the traffic is initiated from the WAN side of the Active Firewall. If we ping the backup IP from within the LAN, the backup firewall responds to the echo requests, but when the traffic arrives with a source IP address outside the LAN subnet in which monitoring for the Primary and Secondary IP addresses has been configured, it does not respond, because it is the standby unit of the HA pair.
The Standby Firewall does respond to traffic arriving on its X0 interface, so we can perform source NAT on the Active Firewall for traffic coming from the WAN side and destined for the Standby Firewall's backup IP, translating the source to the Active Firewall's primary X0 IP. When the traffic arrives at the Standby Firewall it then appears as local traffic; the Standby Firewall sends the reply back to the Active Firewall, which forwards it back to where it came from.
Two NAT policies are required on the Active Firewall to allow access to the standby unit's (Primary or Secondary) backup IP when the traffic comes from a subnet other than the LAN.
Export the current firewall settings by navigating to System | Settings and clicking the "Export Settings" button. It is also highly recommended to have a backup that can be used as a one-touch restore point. Plan and arrange a maintenance window before making the required changes.
This article assumes that monitoring for X0 has been configured under HA | Monitoring, and that the Primary and Secondary IPs are configured.
Step 1: Navigate to Network | NAT Policies and add the following two NAT Policies:
After adding the above NAT Policies, ping the standby backup IP from the VPN or from outside the LAN subnet and expect an echo reply. If ping replies are not received, check the relevant NAT policy (depending on which appliance is standby) for its usage; if no usage is shown, a restart might be needed, arranged within a maintenance window.
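The following is an added example, not part of the SonicWall article and not SonicWall's own configuration: a small Python model of the source-NAT behaviour the article describes, so the expected effect of the two policies can be reasoned about before touching the appliance. The LAN subnet, the Active unit's X0 IP and the two backup IPs are constructed values; the match and translate fields of the policies are inferred from the article's description (non-LAN source, destination = a backup IP, source rewritten to the Active unit's X0 IP) rather than copied from the article's policy screenshots, which are not reproduced here. The hit counter stands in for the policy "usage" the troubleshooting step tells you to check.

```python
from collections import Counter
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address

# All addresses here are constructed for this example (not taken from the article).
LAN_SUBNET = IPv4Network("192.168.168.0/24")
ACTIVE_X0_IP = IPv4Address("192.168.168.168")         # Active unit's primary X0 IP (assumed)
PRIMARY_BACKUP_IP = IPv4Address("192.168.168.169")    # HA | Monitoring backup IP, Primary unit (assumed)
SECONDARY_BACKUP_IP = IPv4Address("192.168.168.170")  # HA | Monitoring backup IP, Secondary unit (assumed)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class NatPolicy:
    """Source-NAT policy as the article describes it: traffic destined for a
    backup IP that did not originate in the LAN gets its source rewritten to
    the Active unit's X0 IP, so the standby unit sees it as local traffic."""
    name: str
    original_dst: IPv4Address
    translated_src: IPv4Address

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst == self.original_dst and pkt.src not in LAN_SUBNET

    def apply(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.translated_src)


# One policy per unit that may be the standby at any given time (hence two policies).
NAT_POLICIES = [
    NatPolicy("SNAT-to-primary-backup", PRIMARY_BACKUP_IP, ACTIVE_X0_IP),
    NatPolicy("SNAT-to-secondary-backup", SECONDARY_BACKUP_IP, ACTIVE_X0_IP),
]

# Per-policy hit counter, standing in for the policy "usage" the article says to check.
USAGE = Counter()


def translate(pkt: Packet):
    """Apply the first matching policy on the Active unit.

    Returns (policy name or None, packet after translation)."""
    for pol in NAT_POLICIES:
        if pol.matches(pkt):
            USAGE[pol.name] += 1
            return pol.name, pol.apply(pkt)
    return None, pkt


def standby_answers(pkt: Packet) -> bool:
    """Model of the standby unit: it only answers probes to its backup IP
    whose source looks local on X0 (the behaviour the article describes)."""
    return pkt.dst in (PRIMARY_BACKUP_IP, SECONDARY_BACKUP_IP) and pkt.src in LAN_SUBNET


def probe(src: str, dst: str) -> bool:
    """Does an echo request from src to backup IP dst get answered once NAT is in place?"""
    _, out = translate(Packet(ip_address(src), ip_address(dst)))
    return standby_answers(out)


if __name__ == "__main__":
    # Without NAT a WAN-sourced probe is ignored; with the policy in place it is answered.
    wan_probe = Packet(ip_address("203.0.113.7"), PRIMARY_BACKUP_IP)
    print("WAN -> primary backup IP, no NAT:  ", standby_answers(wan_probe))
    print("WAN -> primary backup IP, with NAT:", probe("203.0.113.7", "192.168.168.169"))
    print("LAN -> primary backup IP:          ", probe("192.168.168.50", "192.168.168.169"))
    print("policy usage:", dict(USAGE))
```

If a probe from outside the LAN is still unanswered, the first thing to compare against this model is whether the matching policy's usage counter moved at all; a zero count means the traffic never matched the policy (wrong original destination, or the source was already inside the LAN subnet), which is the same check the article's final step describes.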